Section: New Results

High Security Lab

Participants : Alexandre Boeglin [contact] , Olivier Festor, Mohamed Nassar.

The objective of the High Security Lab at INRIA Nancy Grant Est is to provide both the infrastructure and the legal envelope to researchers to perform sensitive security oriented experimentations. We do contribute to this laboratory by (1) designing and operating a large network telescope and (2) performing vulnerability assessment research, network data and malware collection and analysis.

During the year 2011, some maintenance tasks have been carried out on the High Security lab:

• the SDSL line, which previously had a capacity of 1Mbps, has been upgraded to a 2Mbps line, and traffic shaping rules have been added to the router, that allow honeypots to run alongside experiments, without impacting them,

• the storage capacity of our database server, which was starting to get full, has been multiplied by four, and existing data has been migrated to the new equipment.

A set of new experiments have also been deployed:

• a server has been dedicated to a new variant of SGNet, for the VAMPIRE project. This one specifically targets attacks on SIP services, which the other one cannot do,

• in collaboration with the INRIA Nancy Grant Est IT service, we started to log public (thus anonymous) DNS queries and responses made by the research center's recursive DNS servers, to use the collected data as input set for experiments.

In 2011 we worked also on the automated analysis of malware taces to extract flow-level signatures of malware. We obtained early results regarding network flow-graphs and tested several clustering techniques to separate malware traffic.